The cyber-attack directed at Twitter last week was the online equivalent of an explosive device being detonated.
Around 130 high-profile accounts were hacked in an attempt to solicit bitcoin. Former U.S. President Barack Obama, Bill Gates, Apple, and Uber were among those targeted in an attack that lasted just 30 minutes. Access is thought to have been achieved internally through Twitter’s administrative panel, perhaps with the assistance of an employee.
As legions online unpack the details of this brief but effective attack, there are some crucial and unforgettable takeaways for compliance professionals that must be digested and understood.
Four lessons learned
The first is to recognize the hackers’ remarkable success. The attack worked. Around $120,000 worth of bitcoin was fraudulently obtained. This is actually a relatively meager amount, considering the cumulative number of followers for each account easily surpasses 100 million people. The consensus is that this cyber-attack could have been a lot worse.
What this demonstrates is that an attack need not last very long, nor fool very many people, for it to be damaging. Apple is one of the world’s richest firms. A smaller attack on almost any other company could threaten its survival. This is an excellent point to underline when stressing the fundamental importance of cyber-security at your firm.
The second consideration to bear in mind is the celebrity and renown of those targeted. It is particularly embarrassing for Twitter that the accounts belonged to the world’s most recognizable brands, firms, and faces. The implications are disturbing: Had Donald Trump been targeted—and it seems he wasn’t—then the direct messages of a sitting U.S. president would have been exposed, with unpredictable results.
For firms, this is a reminder that no one is exempt. Indeed, it is troubling to recognize the planet’s most successful companies and richest people are vulnerable online—and even more alarming that it happened at a tech-savvy company like Twitter.
This doesn’t mean that we should be fatalistic (e.g., “If Apple can’t protect themselves, then how can we be expected to?”). What it means is we must be constantly aware of the threat and be vocal in expressing the need for frequently re-evaluating cyber-security.
This ties into the third point, which is that such attacks have a real cost. Twitter’s share price actually dropped in the wake of the hack. For organizations that do not have Twitter’s clout (i.e., around 99 percent of firms), this is sobering. Again, this is not a reason to despair, but it should be a touchpoint for those reinforcing the cyber-security message.
The fourth point to take on board is the threat of social engineering. This appears to be the means by which the hackers gained access. Social engineering might justly be described as the Achilles heel of any cyber-defense. As we are all human, it is likely to be a perpetual problem. The best means of avoiding it are (a) imposing further obstacles so that one person’s details alone are not enough to gain access and (b) constantly (but engagingly) reminding employees of the danger.
What firms can do
There’s very little we can predict with any confidence, but we can be sure there will be more attacks like this to come. Far from meekly accepting them as an unwelcome inevitability, a number of things can be done in defense.
The first, and most straightforward, is to spread the word.
Cases like the one that struck Twitter provide the ideal context in which to reinforce cyber-security messages within your firm. This was reflected in comments by Andrea Barisani, head of hardware security at Finnish cyber-security company F-Secure, who told WIRED.com he was actually happy that “the problem was used in a very vocal and obvious way rather than something really subtle.”
Barisani’s point is that the very public nature of the Twitter attack has drawn attention to cyber-security and gives others the chance to re-examine their own defenses. It is the perfect example to which a chief security officer can point when going to the board to ask for more resources and support.
The second is more practical: re-evaluate security.
This will involve an audit of existing defenses, identifying weak spots, and making sure robust measures are reinforced. This is a good opportunity to ask questions and probe into cyber-security you might already consider secure. Ask yourself: “Is this really good enough?”
Now that many are working from home, this question has acquired new significance. Though working from home has many advantages, one of its chief disadvantages is that remoteness can easily become sloppiness in terms of cyber-security. To address this, employees need to be made aware of just how easily information can be obtained and of the means by which they can protect themselves and their firms. That many employees are likely to have a Twitter account themselves means this case study should carry extra resonance.
Further details of the Twitter hack will no doubt be revealed in the days to come. It is imperative that, whatever these details reveal, the attack should act as a lesson and a guide for cyber-security professionals.
The very least we can do is to make sure this message is heard and absorbed. Every one of us, after all, is on the cyber-security front line.
The International Compliance Association is a sister company to Compliance Week. Both organizations are under the umbrella of Wilmington plc.